Dealing with Overwhelming Volume of Security Alerts
When it comes to incident detection and response, enterprise organizations are collecting, processing, and analyzing more security data through an assortment of new analytics tools – endpoint detection and response (EDR) tools, network analytics tools, threat intelligence platforms (TIPs), etc.
When each of these threat management or security analytics tools sees something suspicious, it generates a security alert, and therein lies the problem – enterprise organizations are getting buried by an avalanche of security alerts. According to ESG research (note, I am an ESG employee):
- When asked to identify their top incident response challenges, 36% of the cybersecurity professionals surveyed said, “keeping up with the volume of security alerts.”
- Forty-two percent of cybersecurity professionals say that their organization ignores a significant number of security alerts because they can’t keep up with the volume.
- When asked to estimate the percentage of security alerts ignored at their organization, 34% say between 26% and 50%; 20% of cybersecurity professionals say their organization ignores between 50% and 75% of security alerts; and 11% say their organization ignores more than 75% of security alerts. Mamma Mia, that’s a lot of security alerts left on the cutting room floor.
All told, the ESG data indicates that cybersecurity professionals are struggling to keep up with security alert volume and are doing their best to identify, prioritize, and address the most critical of the lot. This makes it fairly easy for cyber-adversaries to hide stealthy attacks, circumvent security controls, and fly under the radar amid a pervasive security alert storm.
The security alert scramble described above may be a testament to cybersecurity professionals’ dedication, but it can’t be considered a best practice by any measure. What can organizations do to address and improve this fire drill approach?
1. Talk to SIEM vendors and their customers. Let’s face it, SIEMs can be complex, and many organizations remain behind in software revision levels, custom rule sets, and configurations. Those organizations falling behind would be well served to reach out to their SIEM providers for help. Vendors like AlienVault, IBM, LogRhythm, McAfee, and Splunk offer professional services and can pull from their experience across thousands of installations. Beyond the vendors themselves, it can be worthwhile to join customer groups to hear more about best practices, lessons learned, and success stories.
2. Consider new types of products based upon machine learning. These tools are meant to compare, enrich, and contextualize disparate security alerts in order to sort real cyber-attacks from basic security alert noise. For example, products from vendors like Caspida (Splunk), E8, Exabeam, and Niara (HP) are designed to work their machine learning magic and then aggregate security alerts so that security teams have a breadcrumb trail of events and alerts indicating real security issues. Note that this technology remains immature, so the principle of caveat emptor truly applies here.
3. Consider incident response automation and orchestration. Security operations is often challenging due to a reliance on tedious processes, informal collaboration between security and IT operations teams, and manual remediation actions. To improve productivity, CISOs should look at orchestrating processes (i.e., human-to-human, machine-to-human, machine-to-machine) and automating investigation and remediation tasks. This space is white hot, so there are many commercial tools (Hexadite, Phantom, Resilient (IBM), Siemplify, ServiceNow, etc.) and open source software options (Netflix FIDO, RTIR, etc.) available.
4. Get help. Let’s face it, triaging, prioritizing, and investigating security alerts isn’t easy, and it’s only getting more difficult. CISOs should honestly assess their staff’s ability and know when to throw in the proverbial towel. Managed service providers like CSC, FireEye, Unisys, SecureWorks, Symantec, and Verizon can help here.
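As an added illustration of what items 2 and 3 describe (this is example code, not the page's own or any vendor's product), here is a small Python correlator that enriches alerts with threat-intel hits, groups each host's alerts into a time-windowed chain, and ranks the resulting incidents so the analyst sees the strongest breadcrumb trail first. The alert records, field names, tool names, 15-minute window, and scoring weights are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools: an EDR agent,
# a network analytics sensor, and a threat intelligence platform (TIP).
# The schema (ts, source, host, detail, indicator) is an assumption.
ALERTS = [
    {"ts": "2016-05-02T09:00:05", "source": "edr", "host": "ws-117",
     "detail": "office application spawned a scripting host"},
    {"ts": "2016-05-02T09:01:40", "source": "network", "host": "ws-117",
     "detail": "DNS query to newly registered domain", "indicator": "bad.example"},
    {"ts": "2016-05-02T09:02:10", "source": "tip", "indicator": "bad.example",
     "detail": "domain listed in phishing feed"},
    {"ts": "2016-05-02T09:30:00", "source": "network", "host": "ws-042",
     "detail": "unusual internal port scan"},
    {"ts": "2016-05-02T14:15:00", "source": "edr", "host": "ws-117",
     "detail": "unsigned binary executed"},
]
WINDOW = timedelta(minutes=15)  # assumed gap that splits one chain from the next


def correlate(alerts, window=WINDOW):
    """Return incidents (one per host and time window), highest score first."""
    # Enrichment: indicators the TIP knows about; used to upgrade matching alerts.
    tip_hits = {a["indicator"]: a["detail"] for a in alerts if a["source"] == "tip"}
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if "host" in a:  # TIP records carry no host; they only enrich others
            by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        chain = []
        for a in host_alerts:
            t = datetime.fromisoformat(a["ts"])
            # A gap longer than the window closes the current chain.
            if chain and t - datetime.fromisoformat(chain[-1]["ts"]) > window:
                incidents.append(_summarise(host, chain, tip_hits))
                chain = []
            chain.append(a)
        if chain:
            incidents.append(_summarise(host, chain, tip_hits))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def _summarise(host, chain, tip_hits):
    sources = {a["source"] for a in chain}
    intel = [tip_hits[a["indicator"]] for a in chain if a.get("indicator") in tip_hits]
    # Assumed scoring: each independent tool that fired counts once; a
    # TIP-confirmed indicator counts double because it corroborates the alert.
    score = len(sources) + 2 * len(intel)
    trail = [f'{a["ts"]} [{a["source"]}] {a["detail"]}' for a in chain]
    return {"host": host, "score": score, "sources": sorted(sources),
            "intel": intel, "trail": trail}
```

With the sample data, the two-tool chain on ws-117 that touches a TIP-listed domain ranks first, while the lone afternoon EDR alert on the same host and the single network alert on ws-042 fall to the bottom of the queue.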
It is also worth noting that the global cybersecurity skills shortage precludes ANY organization from simply hiring its way out of this mess. CISOs must do something soon, before the volume of security alerts simply buries the security operations team.